3 Replies Latest reply on Jan 13, 2011 8:11 AM by alesj

Security domain for JMS authentication is blacklisted when implementation is in EAR

martin.hynar Jan 6, 2011 4:54 AM

Hello everyone,

there is an interresting problem with security domain used to authenticate users connecting to JMS resources. The thing is that, there is custom implementation of authentication module (more constraints required) and a configuration of login-module that references this implementation.

<application-policy name="CustomSecurityDomain">
  <authentication>
    <login-module code="custom.authentication.LoginModule" flag="required">
      <!-- some module options ... -->
    </login-module>
  </authentication>
</application-policy>

The class custom.authentication.LoginModule sits within EAR. Then this authentication module is configured to be used by JMS authentication:

<bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
  <!-- default security configuration -->
  <property name="defaultSecurityConfig">
    <![CDATA[
      <security>
         <role name="jmsrole" read="true" write="true" create="true"/>
      </security>
    ]]>
  </property>

  <property name="securityDomain">CustomSecurityDomain</property>
  <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>

  <!-- @JMX annotation to export the management view of this bean -->
  <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>

  <!-- Password Annotation to inject the password from the common password utility -->
  <annotation>@org.jboss.security.integration.password.Password(securityDomain="suckerPassword",methodName="setSuckerPassword")</annotation>
</bean>

With this setup, the authentication always fails and by debugging (I probably have wrong logging levels set) it is known that CustomSecurityDomain is on blacklist in class loader (org.jboss.classloader.spi.base.BaseClassLoader). When the custom.authentication.LoginModule is separated into separate jar and deployed on its own, then everything (authentication) work just fine, but then there are different reasons that prevent usage of this setup. Did somebody faced problem like this? Any solution or advice is welcome!

thanks, Martin

1. Security domain for JMS authentication is blacklisted when implementation is in EAR

alesj Jan 13, 2011 6:31 AM (in response to martin.hynar)

Which AS are you running?

.ear is by default isolated in AS6, hence not seen from DefaultDomain.
If you extract it into separate .jar, then it's shared by DefaultDomain, hence seen by JMS.
Actions
2. Re: Security domain for JMS authentication is blacklisted when implementation is in EAR

martin.hynar Jan 13, 2011 7:39 AM (in response to alesj)

The target platform is JBoss EAP 5.1.0.

How to change the visibility in classloading so that it becomes visible?
Actions
3. Re: Security domain for JMS authentication is blacklisted when implementation is in EAR

alesj Jan 13, 2011 8:11 AM (in response to martin.hynar)

The target platform is JBoss EAP 5.1.0.
Hmm, this is actually not community version, hence official support is who you should be asking this. ;-)

How to change the visibility in classloading so that it becomes visible?
Simple hint anyway:
* http://java.dzone.com/articles/jboss-microcontainer-classloading
* http://community.jboss.org/wiki/JBoss5custommetadatafiles

... but looking at the EAP5.1 config of EarClassLoaderDeployer::isolated, it's already false ...
Actions

Go to original post